CyberManipal.

Tech news from MIST

Implementation of Cobalt Strike Beacon

Research and Development
@DevataRohan

Devata Rohan

September 13, 2021

This Monday, researchers disclosed a newly discovered Linux and Windows implementation of Cobalt Strike Beacon that has actively set its sights on government, telecommunications, IT, and financial institutions worldwide. The previously undetected version of the penetration testing tool, code-named “Vermilion Strike,” marks one of the rare Linux ports of what is traditionally a Windows-based red team tool heavily used to mount an array of targeted attacks. Cobalt Strike bills itself as “threat emulation software.” The stealthy sample uses Cobalt Strike’s command-and-control (C2) protocol when communicating with the C2 server. It also has remote access capabilities such as uploading files, running shell commands, and changing access to files.

The Israeli cybersecurity company behind the discovery based its findings on an artifact uploaded to VirusTotal on Aug 10 from Malaysia; only two anti-malware engines flagged the file as malicious. Once installed, the malware runs itself in the background, decrypts the configuration the beacon needs to function, and establishes communications with a remote server over HTTP or DNS to retrieve encoded files and run arbitrary commands.

This is far from the first time the legitimate security testing toolkit has been used to coordinate attacks against many targets. Recently, the U.S. security firm Secureworks detailed a spear-phishing campaign by a threat group tracked as Tin Woodlawn (aka APT32 or OceanLotus) that leveraged an enhanced version of Cobalt Strike to avoid security countermeasures in an attempt to steal property and trade secrets.

Abridged from The Hacker News
